Secerno False Alarms whitepaper
WHITE PAPER
False Alarms and the Hidden Cost of Ownership of Inaccurate Database Activity Monitoring Systems
Contents
2 Summary
2 The Right Call
2 The Path of a False Alert
3 The Cost of the False Positives
4 The Effect of the False Positives
4 Improving Security Performance – Lowering Costs and Reducing Risk
4 About Secerno Database Activity Monitoring
4 Conclusion
Summary

We have all witnessed the steady flow of stories of data breaches from around the world. Data loss has become the new security nightmare, as the database – the prime repository of all of the sensitive information which ultimately defines a company’s value – has come blinking into the spotlight for the first time. Previously felt to be impregnable, buried as it was within the depths of the organisation, it has now become perceived as one of the most vulnerable elements in the architecture. Databases are prey to criminal organisations (often working through your own employees) and frighteningly subject to embarrassing accidental losses by staff flouting, or being ignorant of, your own carefully crafted security policies.

Over the course of the last decade, consumers’ concerns grew as the stories hit the press each week, so government agencies responded with more and more regulation, heaping on the compliance burden but not necessarily helping actual data security. The market duly responded and we now see the growth of new solutions to address the new auditing and security needs.

Database Activity Monitoring (DAM) is one of these new market sectors. It is growing rapidly – doubling in size annually as companies adopt solutions to protect their key data assets. Purchasing decisions are being made based on notional functional requirements and the ticket price of the solutions on offer. But what does it really cost to protect your data effectively? What are the key cost drivers which need to be taken into account?

This paper seeks to address these questions with a focus on one particular aspect of Database Activity Monitoring system ownership costs: the impact on your organisation of choosing a system prone to generating false alerts – the cost of “Crying Wolf”.

The Right Call

The first wave of anomaly detection in application behaviour has depended on the tried, tested and partly trusted approaches originally developed for host and network intrusion prevention in previous decades. The approaches are probabilistic – looking for elements in each query which MIGHT indicate anomalous behaviour – and are based on detecting known threats using signatures.

In technology terms, these approaches represented the industry’s best bet – they were known to have their weaknesses, but they were all that was available, and some protection is better than none of course. However, there is a fundamental problem with these approximate approaches which in practical terms renders them ineffective in security terms: they are prone to generating far too many false positive responses. False alarms drive operators to distraction, inflate the true cost of ownership and eventually lead to the devices being tuned down or disabled.

A new generation of DAM solutions has now become available, alongside these first entrants. So how do you weigh up the cost of owning these against the older products – how much will they save you? Hence, the question we seek to answer now is: what is the cost of generating false positive alerts?

The Path of a False Alert

If we are to understand the cost of even a single false positive alert, then we need to follow its flow and the effects it has. Consider this imaginary but typical scenario:

It is mid-afternoon and…

1 Your Database Activity Monitoring system sees a statement which it considers to be anomalous. Perhaps it contains a keyword that might indicate malicious activity. It triggers an alert.

2 One millisecond later, your security event management system receives the alert.

3 Around a minute later, the alert finds its way into an email batch sent to the first line support team.

So far, so good. The alert has cost no money and has found its way to the inbox of a person.

Of course, the query itself will have executed and the resulting data may well already be with the requestor, unless you have your system in blocking mode.

4 The front line support analyst sees the alert arrive and opens it up. Having read the information supplied, he concludes that he is not sufficiently qualified to judge whether the database query statement in question is malicious or not. It does not look like a textbook SQL injection attack – he has seen enough of those before – but the DAM system obviously responded for a reason. He does a little research, then decides to play safe and escalates the event to the Database Administrator currently on call. Let us say this took half an hour.

5 Another fifteen minutes later, the on-call DBA finishes his previous task and opens the message from support. He decides to deal with this immediately. The database request certainly looks legal and is not obviously malicious. The next step requires application knowledge to answer the question: “Does the query fit within the context of the company’s applications?” Fifteen minutes later the DBA decides to escalate the alert to the Application Support Group for advice on source code.

It is now one hour since the original alert was triggered. It has been through two people’s hands. The data resulting from the query is in a spreadsheet being sliced, diced and acted upon.

6 The Application Support Group specialist looks at the alert information for a few minutes, then passes the case over to their resident DBA.

7 The Application Support Group DBA is a little perplexed. It sort of looks reasonable to him. Sure, the use of this particular query structure is rather inelegant, but it is legal SQL. The “Our-town Credit Union” subject of the query looks fair enough. They are a new customer, but presumably legitimate. He calls up the application source code. And, just to be on the safe side, as this is a security alert, he escalates the issue to his manager as “under investigation”. This all takes him an hour. He eventually sends the query information back to the Application Support Group specialist to confirm his conclusion that the query was legally generated from their own applications.

8 The DBA’s manager sends an email at the end of the day to the security team with the alert details.

We are now three hours into the event. The Security Group has the alert for investigation, though the message is on its way back to front line support that the query was probably generated legally, by the company’s own applications.

9 The IP address originating the query came from within the company, so the Security Analyst receiving the query contacts the Operations Group. The next morning, they confirm that the query originated in the Sales Department in Building 6.

10 A further email to the IT administrators over there eventually confirms that the query originated from a hot desk in room 6.2.13. There is no one there, of course, as the query was issued yesterday. But the log shows who had been there. They are called and they eventually confirm their legitimate use of the application and query data.

11 The Security Team mark the incident ticket as closed, more than 24 hours after the query had triggered the alert.

12 The incident response team looks at the policy description on the DAM system and realises that the “Union” element in the customer’s name had triggered a signature used to check for potentially malicious UNION instructions in SQL. They disable the rule concerned.

A day after the false alert was generated, the incident is closed, while the results data from the query are on a memory stick on the other side of the country. No harm was done in this case.
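As an added illustration of step 12 and of the signature weakness described in “The Right Call” (example code written for this edit, not Secerno’s product logic or anything taken from the paper), the following Python contrasts a naive keyword signature for UNION with a rule that tokenises the statement and ignores string literals, quoted identifiers and comments. The SQL statements are constructed samples; only the customer name “Our-town Credit Union” comes from the paper’s scenario.

```python
import re

# Naive signature of the kind the paper describes: a keyword match on the raw
# statement text. It fires on the literal 'Our-town Credit Union' because the
# word appears inside a customer name, not as a SQL operator.
NAIVE_UNION_RULE = re.compile(r"\bunion\b", re.IGNORECASE)


def naive_union_alert(sql: str) -> bool:
    """Raise an alert whenever the word UNION appears anywhere in the text."""
    return NAIVE_UNION_RULE.search(sql) is not None


# Minimal SQL tokeniser: each alternative is a unit the parser treats as one
# token, so keywords are only considered where the parser would see them.
_TOKEN = re.compile(
    r"'(?:[^']|'')*'"            # single-quoted string literal ('' escapes a quote)
    r'|"(?:[^"]|"")*"'           # double-quoted identifier
    r"|--[^\n]*"                 # line comment
    r"|/\*.*?\*/"                # block comment
    r"|[A-Za-z_][A-Za-z0-9_]*"   # bare word: identifier or keyword
    r"|\S",                      # any other single character (operators, punctuation)
    re.DOTALL,
)


def tokens_outside_literals(sql: str) -> list:
    """Bare words of the statement, upper-cased, with literals and comments dropped."""
    words = []
    for m in _TOKEN.finditer(sql):
        tok = m.group(0)
        if tok[0] in "'\"" or tok.startswith("--") or tok.startswith("/*"):
            continue  # quoted text and comments are never keywords to the parser
        words.append(tok.upper())
    return words


def keyword_union_alert(sql: str) -> bool:
    """Same intent as the naive rule, but only fires on UNION as a keyword token."""
    return "UNION" in tokens_outside_literals(sql)


# Constructed sample statements (not from the paper).
CUSTOMER_QUERY = "SELECT balance FROM accounts WHERE customer = 'Our-town Credit Union'"
TABLE_NAME_QUERY = "SELECT * FROM union_members -- union"
UNION_QUERY = "SELECT id FROM orders WHERE id = 1 UNION SELECT col1, col2 FROM other_table"

if __name__ == "__main__":
    for sql in (CUSTOMER_QUERY, TABLE_NAME_QUERY, UNION_QUERY):
        print(f"naive={naive_union_alert(sql)!s:5} keyword={keyword_union_alert(sql)!s:5} {sql}")
```

The first two statements are the false positives the paper is concerned with; the third is the one the rule exists to catch, and the tokenised rule still fires on it.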
[Figure: The Path of a False Alert. Timeline of steps 1 to 12 across Day 1 and Day 2, showing the SQL statement passing from the DAM system to the SIEM, the 1st Line Support Team, the DBA, the Application Support Group and its manager, the Security Team, the Operations Team, the IT Admin Team and the End User, with the elapsed time at each hand-off (1 millisecond, 1 minute, 30 minutes, 60 minutes, 125 minutes, 140 minutes, 3 hours, 3 hours 15 minutes, 18 hours 30 minutes, 20 hours, 20 hours 15 minutes, 23 hours). The incident is closed at 25 hours and the rule disabled at 26 hours.]
The Cost of the False Positives

So what happens now? There have been ten such false positive alerts from the system in the intervening 24 hours, all worthy of investigation. The DAM system has seen 15 million SQL statements flow past in that time, so the false alarm rate appears low, at first glance, at below one per million. But consider the cost to the organisation:

A minimum of eight people have been involved in investigating this process and at least one person-day was used to resolve and document the issue fully. We can estimate the full cost to the organisation at around $1,200.

Ten such alerts have been generated during the time it took to clear this one, building up a potential response cost of $12k/day, just on false positives alone. Within two weeks, you will have spent more chasing false alarms than you did on the box itself.

Following the same logic, ten full-time equivalent staff would be required just to respond to this system alone.

The appliance that cost $50k to buy is costing hundreds of thousands of dollars to run.